Sunday, July 17, 2011

Jucheck.exe is the Java update verification process, which notifies users about new updates available for the Java software installed on their computer. Unfortunately, it's not uncommon for malware authors to use well-known, legitimate file names to confuse users and, in some cases, to avoid detection. We previously wrote about a Trojan horse masquerading as msiexec.exe. There's also an IRC backdoor Trojan that uses another legitimate file name, jusched.exe, to trick users into running malicious code on their computers. So, how do you determine whether it's a virus or a legitimate application?

First of all, you should verify that the file is digitally signed by the distributor of the software and that the signature verifies. Jucheck.exe should be digitally signed by Sun Microsystems, Inc.; if the publisher is Unknown, then it's probably some kind of malware.

Secondly, you should verify the file location. The legitimate Java software updater runs from C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe. The \jre1.6.0_01\ part may vary depending on the version of the Java software installed on your computer. Malicious software usually runs from the Windows temporary folder (%Temp%) or the Windows system folder (%Windir%). If jucheck.exe runs from C:\Users\AppData\Local\Temp\jucheck.exe or from C:\Windows\jucheck.exe, then you shouldn't allow it to run.
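The two checks above (signature first, then location) can be run together from PowerShell. This is an added example, not part of the original post; the list of expected folders is an assumption based on the Program Files\Java path given above and should be adjusted to match your installation.

```powershell
# Added example: run the article's two checks against every running
# jucheck.exe / jusched.exe process. Use an elevated prompt so that
# process paths are readable.

$names = 'jucheck.exe', 'jusched.exe'

# Assumption: Java lives under Program Files\Java (the path given in the article);
# the (x86) variant covers 32-bit Java on 64-bit Windows.
$expectedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { (Join-Path $_ 'Java') + '\' }

Get-CimInstance Win32_Process |
    Where-Object { $names -contains $_.Name } |
    ForEach-Object {
        $path = $_.ExecutablePath
        $status = 'PathUnreadable'
        $signer = $null
        $inExpected = $false

        if ($path) {
            # Check 1: Authenticode signature (Valid, NotSigned, HashMismatch, ...)
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

            # Check 2: is the image inside one of the expected Java folders?
            $inExpected = [bool]($expectedRoots | Where-Object {
                $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        }

        if ($status -ne 'Valid') {
            $verdict = 'SUSPICIOUS: no valid signature'
        } elseif (-not $inExpected) {
            $verdict = 'REVIEW: signed, but running from an unexpected folder'
        } else {
            $verdict = 'OK: confirm that Signer names the expected publisher'
        }

        [pscustomobject]@{
            PID = $_.ProcessId; Name = $_.Name; Path = $path
            SignatureStatus = $status; Signer = $signer; Verdict = $verdict
        }
    } | Format-List
```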

If you get a User Account Control (UAC) message about jucheck.exe from an Unknown publisher asking to make changes to your computer, please click No and scan your computer with legitimate anti-malware software.

Download recommended anti-malware software and run a full system scan to remove this Trojan from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if you are running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you need help removing the jucheck.exe malware, please leave a comment below. Good luck and be safe online!

12 comments:

Anonymous said...

So I had this on my computer, and I accidentally clicked yes to the UAC. I removed the program from appdata/temp, I ran a couple of virus scans including MalwareBytes and avast. How do I know if I actually removed and or undid any damage?

When I clicked yes, it ran for a sec and then stopped, I am assuming that it installed some malware... But I don't know what malware.

I was having this problem and it was a relatively easy fix. After turning on the hidden folders, I opened malwarebytes and under the more tools tab there was fileASSASSIN. I used this and went to (C:\users\username\AppData\Local\Temp) and selected the juscheck.exe and clicked open, which opens the file in fileASSASSIN and completely removes it from your computer. I haven't had the popup ever since.

I went through the process mentioned above and used the FileASSASSIN, and removed it from my comp. I did have to do the manual searching but I did find it and got rid of it. The problem is this was a week ago, and for some reason it's back again. When I click don't allow it just pops right back up again, and this time I went through the process again, but I can't find it at all this time. Anyone else know what I have to do to make it stop?

To anyone who is seeing the UAC popup, but your anti-malware software is not detecting malware: Did you read the UAC popup to verify that the publisher was unknown? The "article" specifically states that if it's signed by Sun Microsystems, you're safe. Seems to me that if you're trying more than one scan and coming up with nothing, that there is nothing.

To the anonymous troll that said to switch to Linux or get a Mac: NO computer is impervious to viruses and other malware. The only reason you don't hear of Linux or Mac systems being hit is because hackers think about market-share... the vast majority of computers are Windows-based... so... write your malware to attack Windows computers. Duh.

Linux and Mac computers can be attacked by malware, as well... it's just less common. Why else would anti-malware software exist for both types of operating systems?

Hi, as soon as a wacko troll on FB (known to be a programmer) started tormenting me, I got several email attempts to dump a virus, which I deleted. I blocked this nutcake & soon after got a notice to update Java with jucheck.exe. It "looked" OK, but the Sun Microsystems certificate expired almost a year ago -- surely Sun keeps up their digital certificates? Anyway, this is the path -- do you think it's OK?:

C:\Program Files\Common Files\Java\Java Update\jucheck.exe - auto"

My McAfee antivirus scan didn't detect a problem but I will keep hitting "no" on the invitation to update 'til I hear from you.

...BTW, I haven't been able to *find* the file despite many searches, & thus don't know how to delete it or upload it to the Spyware program you mentioned.

I recently got hit by some malware similar to this one. Instead of jucheck.exe, it was named java.exe and no matter how many times I said "No", it just popped up the dialog again. When this dialog pops up, your entire desktop is frozen so you can't go to Task Manager or anything else. Your only choice is to click the "Change when these notifications appear" to get your desktop back, then run msconfig and disable the malware startup option and reboot. I had to scrub the entries in the registry for startup, the "Startup" folder under the menu structure for my account and the registry entry that says "launch this program whenever you launch cmd.exe". Tenacious little bugger! Scrubbing all of those out of my machine, I then went to delete the file. They had diddled the permissions such that I couldn't just delete it; first I had to give my user account full control in order to delete the file. I finally got it all removed, but I can see how any less technically inclined user (I'm a software developer) would just give in and click "Yes".

About Me

Hi there, and welcome to my humble web presence. I'm Michael Kaur. Malware squasher, geek, and blogger based in Los Angeles, CA. If you'd like to contact me, the easiest way is through email given below or Google+. Simply add me to your Google Plus circles.

Disclaimer: This is a self-help guide. Use at your own risk. Deletemalware.blogspot.com can not be held responsible for problems that may occur by using this information.

About the blog: This blog provides reliable information about the latest computer security threats including spyware, adware, browser hijackers, Trojans and other malicious software. We do NOT host or promote any malware (malicious software). We just want to draw your attention to the latest viruses, infections and other malware-related issues. The mission of this blog is to inform people about already existing and newly discovered security threats and to provide assistance in resolving computer problems caused by malware.